be2c1e8b419d8f8e85fb7a4a4e6a6c908244ee9520f9657da932c23cf7ed4ddb

Analysis

max time kernel
293s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PowerISO8-x64.exe
Size

4.9MB
MD5

d884550a8b075167353db3bc9118dd18
SHA1

5975cbc800d452546a0ec7456d19fccc15ed085a
SHA256

be2c1e8b419d8f8e85fb7a4a4e6a6c908244ee9520f9657da932c23cf7ed4ddb
SHA512

0ec1d112ddb81485c87c68d47e46607e66f7ba60860eea6bb647560ae766af4f41fda002c329de7981fc1a15b5ceffc18fc57c86f42f70bbde427db65027f9bf
SSDEEP

98304:Mu69FGH5tiGVX3FFi1m3fNwyZCe35LC7phV3+0pE34HVdL+8:l69sH54G5uINdZCeJwphQoVdK8

Score

8^/10

bootkit discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\scdemu.sys	setup64.exe
File opened for modification	C:\Windows\system32\Drivers\scdemu.sys	setup64.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	PowerISO8-x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	PowerISO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	PowerISO.exe

Executes dropped EXE 7 IoCs

pid	Process
2512	devcon.exe
920	setup64.exe
408	PWRISOVM.EXE
3636	PowerISO.exe
5716	PowerISO-Keygen-R2R.exe
5864	keygen.exe
5852	PowerISO.exe

Loads dropped DLL 15 IoCs

pid	Process
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
3296	regsvr32.exe
2580	regsvr32.exe
3636	PowerISO.exe
3152	regsvr32.exe
5864	keygen.exe
5864	keygen.exe
5864	keygen.exe
5852	PowerISO.exe
3468	regsvr32.exe

Registers COM server for autorun 1 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5864-759-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/5864-771-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/5864-782-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/5864-790-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/5864-793-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	PowerISO8-x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	PowerISO8-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	PowerISO.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
310	raw.githubusercontent.com
311	raw.githubusercontent.com
312	raw.githubusercontent.com
313	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerISO.exe

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File created	C:\Program Files\PowerISO\Lang\Indonesian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Readme.txt	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\kazakh.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Burmese.lng	PowerISO8-x64.exe
File opened for modification	C:\Program Files\PowerISO\PowerISO.exe	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\7z-x64.dll	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\SimpChinese.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Turkish.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Ukrainian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Belarusian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Finnish.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\french.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Lithuanian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\croatian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Slovak.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Korean.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Serbian(cyrl).lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\lame_enc.dll	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\libvorbis.DLL	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Greek.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Portuguese(Brazil).lng	PowerISO8-x64.exe
File opened for modification	C:\Program Files\PowerISO\PWRISOVM.EXE	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\danish.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\uninstall.exe	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\MACDll.DLL	PowerISO8-x64.exe
File opened for modification	C:\Program Files\PowerISO\devcon.exe	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Italian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Dutch.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\piso.exe	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\libFLAC.DLL	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\czech.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Norsk.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\German.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Swedish.lng	PowerISO8-x64.exe
File opened for modification	C:\Program Files\PowerISO\PWRISOSH.DLL	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\slovenian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Thai.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Malay.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Romanian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\setup64.exe	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\TradChinese.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Arabic.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Armenian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Bulgarian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Vietnamese.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Azerbaijani.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\unrar64.dll	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Spanish.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Hungarian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Russian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Farsi.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Urdu(Pakistan).lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\License.txt	PowerISO8-x64.exe
File opened for modification	C:\Program Files\PowerISO\PWRISOVM.exe	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Polish.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Japanese.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Bosnian.lng	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\PowerISO.chm	PowerISO8-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00090000000234e4-736.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\OpenWithProgids	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cue	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open\command	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nrg	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.b5i	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz\ = "PowerISO"	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bwi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dmg	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bif	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gi	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open\command\ = "\"C:\\Program Files\\PowerISO\\PowerISO.exe\" \"%1\""	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\DefaultIcon\ = "C:\\Program Files\\PowerISO\\PowerISO.exe,0"	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "PowerISO"	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\ = "PowerISO File"	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdf	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fcd	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cdi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.flp	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.img	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ncd	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif\ = "PowerISO"	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\ = "PowerISO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.p01	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004}	PowerISO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wim	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.c2d	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004}	PowerISO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ashdisc	PowerISO8-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\PowerISO-Keygen-R2R.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe
2740	PowerISO8-x64.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2740	PowerISO8-x64.exe
3636	PowerISO.exe
5852	PowerISO.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	PowerISO8-x64.exe
Token: SeShutdownPrivilege	2740	PowerISO8-x64.exe
Token: SeCreatePagefilePrivilege	2740	PowerISO8-x64.exe
Token: SeManageVolumePrivilege	2400	svchost.exe
Token: SeDebugPrivilege	3580	firefox.exe
Token: SeDebugPrivilege	3580	firefox.exe
Token: 33	6120	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6120	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3636	PowerISO.exe
3636	PowerISO.exe
3636	PowerISO.exe
3580	firefox.exe
3580	firefox.exe
3580	firefox.exe
3580	firefox.exe
5864	keygen.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3580	firefox.exe
3580	firefox.exe
3580	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
408	PWRISOVM.EXE
408	PWRISOVM.EXE
3636	PowerISO.exe
3636	PowerISO.exe
3636	PowerISO.exe
3580	firefox.exe
3580	firefox.exe
3580	firefox.exe
3580	firefox.exe
5852	PowerISO.exe
5852	PowerISO.exe
5852	PowerISO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2576	2740	PowerISO8-x64.exe	109
PID 2740 wrote to memory of 2576	2740	PowerISO8-x64.exe	109
PID 2740 wrote to memory of 2576	2740	PowerISO8-x64.exe	109
PID 2740 wrote to memory of 2512	2740	PowerISO8-x64.exe	110
PID 2740 wrote to memory of 2512	2740	PowerISO8-x64.exe	110
PID 2740 wrote to memory of 920	2740	PowerISO8-x64.exe	111
PID 2740 wrote to memory of 920	2740	PowerISO8-x64.exe	111
PID 2740 wrote to memory of 3296	2740	PowerISO8-x64.exe	115
PID 2740 wrote to memory of 3296	2740	PowerISO8-x64.exe	115
PID 2740 wrote to memory of 3296	2740	PowerISO8-x64.exe	115
PID 2740 wrote to memory of 408	2740	PowerISO8-x64.exe	116
PID 2740 wrote to memory of 408	2740	PowerISO8-x64.exe	116
PID 3296 wrote to memory of 2580	3296	regsvr32.exe	117
PID 3296 wrote to memory of 2580	3296	regsvr32.exe	117
PID 2740 wrote to memory of 2080	2740	PowerISO8-x64.exe	120
PID 2740 wrote to memory of 2080	2740	PowerISO8-x64.exe	120
PID 3636 wrote to memory of 3152	3636	PowerISO.exe	129
PID 3636 wrote to memory of 3152	3636	PowerISO.exe	129
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3232 wrote to memory of 3580	3232	firefox.exe	145
PID 3580 wrote to memory of 4716	3580	firefox.exe	146
PID 3580 wrote to memory of 4716	3580	firefox.exe	146
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147
PID 3580 wrote to memory of 2992	3580	firefox.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PowerISO8-x64.exe
"C:\Users\Admin\AppData\Local\Temp\PowerISO8-x64.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s /u "C:\Program Files\PowerISO\PWRISOSH.DLL"
  2⤵
  PID:2576
- C:\Program Files\PowerISO\devcon.exe
  "C:\Program Files\PowerISO\devcon.exe" remove *scdbusDevice
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2512
- C:\Program Files\PowerISO\setup64.exe
  "C:\Program Files\PowerISO\setup64.exe" cp C:\Users\Admin\AppData\Local\Temp\nstF5DD.tmp "C:\Windows\system32\Drivers\scdemu.sys"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:920
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\PowerISO\PWRISOSH.DLL"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\PowerISO\PWRISOSH.DLL"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2580
- C:\Program Files\PowerISO\PWRISOVM.EXE
  "C:\Program Files\PowerISO\PWRISOVM.EXE" 999
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.poweriso.com/thankyou.htm
  2⤵
  PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1308 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:8
1⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5732 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:1
1⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5392 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:1
1⤵
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5440 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:1
1⤵
PID:672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5612 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:8
1⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5516 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:1
1⤵
PID:1804

C:\Program Files\PowerISO\PowerISO.exe
"C:\Program Files\PowerISO\PowerISO.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\PowerISO\PWRISOSH.DLL"
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5644 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:8
1⤵
PID:4400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.0.37286408\231817394" -parentBuildID 20221007134813 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2dc3534-da06-4ed4-96f3-c07b8e7f943c} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 1864 238294cbe58 gpu
    3⤵
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.1.1578386803\1131232917" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20707 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbd6fae2-9e24-4d9e-9aaa-d6a17150c1b5} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 2396 238291f2b58 socket
    3⤵
    PID:2992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.2.1648040963\851203061" -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3084 -prefsLen 20810 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2acc2ea3-e6f9-424c-9326-53c200b5314d} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 3348 2382945e258 tab
    3⤵
    PID:3300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.3.1045474263\499453877" -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374af972-2fb8-4f30-a7ac-f16810e3c313} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 3628 2382bfaee58 tab
    3⤵
    PID:2000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.4.666044880\2014599210" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4504 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c0fe46-3a70-43fa-b05e-0eae4029b875} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 4452 2382e857e58 tab
    3⤵
    PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.5.1699615448\1831698525" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4900 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3e0d988-a674-4373-81bf-d913d10bf724} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 4988 2382d46c458 tab
    3⤵
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.6.1262742212\1371870871" -childID 5 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e37bc617-6317-4814-acb3-86b4e0b14e83} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 5112 2382d46d058 tab
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.7.781476717\205300546" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88c1feb3-b6c5-4b12-8b12-e4603423a7d8} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 5380 2382d46df58 tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.8.1678143122\387098658" -childID 7 -isForBrowser -prefsHandle 4572 -prefMapHandle 4560 -prefsLen 26285 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c484e896-5320-4f90-9a31-17aa5cfc7420} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 4412 2382bc92d58 tab
    3⤵
    PID:5420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.9.1528223359\1238831656" -childID 8 -isForBrowser -prefsHandle 4592 -prefMapHandle 5784 -prefsLen 26285 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5db0f7f-2e0e-4ece-9410-e21d9a3d1d1a} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 4412 2382c894e58 tab
    3⤵
    PID:212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.10.477167640\229941583" -parentBuildID 20221007134813 -prefsHandle 3320 -prefMapHandle 5944 -prefsLen 26285 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f06d515f-5568-4445-a08e-dec52789eee9} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 5728 2382c896058 rdd
    3⤵
    PID:752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.11.988108126\1104293993" -childID 9 -isForBrowser -prefsHandle 3580 -prefMapHandle 5348 -prefsLen 26460 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dca37561-45e4-4bd8-8085-83bb92fdfd03} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 5212 23829461858 tab
    3⤵
    PID:5700
- - C:\Users\Admin\Downloads\PowerISO-Keygen-R2R.exe
    "C:\Users\Admin\Downloads\PowerISO-Keygen-R2R.exe"
    3⤵
    - Executes dropped EXE
    PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\keygen.exe
      C:\Users\Admin\AppData\Local\Temp\keygen.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:5864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Program Files\PowerISO\PowerISO.exe
"C:\Program Files\PowerISO\PowerISO.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5852
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\PowerISO\PWRISOSH.DLL"
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\PowerISO\7z-x64.dll

Filesize
1.7MB

MD5
e3d086ce6d5afb8452886e5449be5230

SHA1
5f5e3ecd6ab6dfe134d4ba0fb3106ef72a6c6fa5

SHA256
153720adca6a15890d574a8d5471e73221f129b4a20ca2fbbf6a50072b6e0a39

SHA512
4a80b83038f5a2c3d3301e718ab7b439d3c6360ab0abe8219eab837f2f13800c900d90bb6148db01d2bffe9da1aefcadaa1564032d6cf80219567b07d5e65e6c

Download Submit
C:\Program Files\PowerISO\Lang\Arabic.lng

Filesize
44KB

MD5
df394959eb900bc4500324b7e1a674f1

SHA1
3e5863b8e7a70f5c963342cb07bf219c3033fb96

SHA256
566220bd0badc31c82ceedce53cb17b8c009e2ae5c1df4e32690274d3511b014

SHA512
4ab2832e0e6028b3911d9f758788a0f3aa710b8bec1cc215d381e4ea0017f4ce2240bb3f38778c1d62c33c364117c3ac70091383f2deff72d4d971f10125d47d

Download Submit
C:\Program Files\PowerISO\Lang\Armenian.lng

Filesize
47KB

MD5
39a9944552e746501be30e128f511471

SHA1
007dfade843e60a58a32c8fed705e7a8b60abfe4

SHA256
75b9ed8ead6235aa0caedab794b353e3a74957f82d3c0c938a1dffcfe9f54bab

SHA512
3009dcdb35344c19ccced8ee1b523d0e17c54dabf7faa4eba988409893e7bdbb5ffdb4bc21065568c59de94e21ddd1b3e47791abdb73f8b5e3a9cbd72a262b79

Download Submit
C:\Program Files\PowerISO\Lang\Azerbaijani.lng

Filesize
48KB

MD5
78a717846a059de665e889e05313ea9a

SHA1
67737ad90520e588d7271bd42fc0c1333b442a8c

SHA256
696307e616727c3ef2b791916d4a340cac85c6ede86bed1b0322e5e37ca66043

SHA512
a08944180c73786f16dea1ca18e9819805077e8da778e989c7cd910bcca33a8a310a516d7361158f34e099594716218471a149a3c04a94a654d9b9056cfc7209

Download Submit
C:\Program Files\PowerISO\Lang\Belarusian.lng

Filesize
89KB

MD5
52374ebf32ba06f759a20a644dbbe838

SHA1
b7d5e06a7fe1ba3d7979e90689cc0f8312517921

SHA256
7e80b73e66232e8ca164aded1a08f63fabe65e4e38859963e6d5541f7f7ab300

SHA512
15802e6ef85bcc1f1816d5794f5d156f27f32443943c3feaff1f0d94e656396f54cfc5adf22d50e214349334126ad3135656b434c8712aeb60b1aee17e21098a

Download Submit
C:\Program Files\PowerISO\Lang\Bosnian.lng

Filesize
57KB

MD5
27e3f9caf5c2f6f56d05839db1f55dd1

SHA1
4d2b7f09246d97cf6d96cb0c1374093d197a7a8d

SHA256
7be27864827af5ffeb2b8582f52d47eee58ffe84719512cfe721720abc5383c7

SHA512
bfa56a4a410bd66f3e73555c932369a14508a390847c25b21e95e3ad4e22ba93d9251bf41e0c0454f883bed8bac57f6fe19bfb9234dafa3c6e0dc48268c2ddbe

Download Submit
C:\Program Files\PowerISO\Lang\Bulgarian.lng

Filesize
106KB

MD5
fa5b927ed89b89022006fe42de40e477

SHA1
2e5b11b632f2ffd6fff2ba4604ac9bb0a783ff27

SHA256
ec7a79df223d5a3851f962bf21855dbe09dc0768e6cc6e5803526e2e16089c6f

SHA512
ce33319f21e8b1a95a3302199ac92be84c73899b7f16ef5f3e50ef70f0b8c62cf15f83dbd1d1ec27a5feedbfdb74cae2e7f77a93ddbae9c6d0f773cc348e898b

Download Submit
C:\Program Files\PowerISO\Lang\Burmese.lng

Filesize
109KB

MD5
b0814ff5068c5806b71b5fb9c24b4a46

SHA1
804403aa5fcef63387205fe287e813ddda52185d

SHA256
d1f70357189e209f1fc73d59173086c164cd6386d7fa18c2ad118d6d3a1281e6

SHA512
c9c3b6b2d7d9e4d228cc3dd53f8f92bbf3d99b20710a4535430df18006dc1ad3547a3704f92a5c8ea35380cb3ca458960195ba08e077acdba87bbc5f4c88feb1

Download Submit
C:\Program Files\PowerISO\Lang\Dutch.lng

Filesize
111KB

MD5
45bed06275ca8abb2c4423c6453b7ecf

SHA1
bf85cd68a047f27968c886abd10395333647153b

SHA256
9c943144847227a9aa7c2705ce36a67a35dc1d85c1b17d6466b62116e9cb0af2

SHA512
e2a648a813327c5bab9e6efefddf1373bc925c269a8216b82a91d625ae96736a14a9f9c948c2d78d89db7c3ed6bc6548fbf72ae0422b701bb771b80576df6d2f

Download Submit
C:\Program Files\PowerISO\Lang\Farsi.lng

Filesize
51KB

MD5
197bcf165a0302fd910a683d9bddc63c

SHA1
a26f754fd4011225b9c02f13564a4428f50b3d39

SHA256
d3441d10af3bb133441c1658a0622b5ca69198ad04c84e4b74a92f9f02902485

SHA512
eb0de4994b883169a114f16cbc5c1f04a5497dc69c07817802509e23fd8f99761eb6d634b35a4b77c7d70f4295f24e5e874e38c668a57d718df14254be4d4472

Download Submit
C:\Program Files\PowerISO\Lang\Finnish.lng

Filesize
64KB

MD5
2f9aa74f68d74f574c29bf7c0b964358

SHA1
5d3c6026ec57837f373b8f5f2cc05043721db73b

SHA256
a28569aaa735d3fcf9934460b283e47a8c510ea80439c57ded797d7d767c9a47

SHA512
7bc0f83ac43b8cb4294ad4bf169c583f6b5948b92ac30a2626736bec204811a4562d3274819a7828ac787e22644e9f2ed2463fe3903ceccd98aa73c11811cb8a

Download Submit
C:\Program Files\PowerISO\Lang\German.lng

Filesize
114KB

MD5
05efc5b28e145190a0cb4b615ab1f5e8

SHA1
8b74c208910db181e871a61f6830651332e04591

SHA256
8fe3d31af7a105c136d99fba1b44a332abf15aa71a107b2d19d672df0a66a1d0

SHA512
f7c5fbeafdd460471565ea33d927fe94c6a6f7f3f42710cbab45157886a5153682a5797b8f07c0f954a772de17b01f4694cefbaadf3c5c96c1f90bebc2e302eb

Download Submit
C:\Program Files\PowerISO\Lang\Greek.lng

Filesize
115KB

MD5
fc4dedb73e9e7ea23341f0e06bdbd60f

SHA1
3aa8df019d70a474ae8918f8ac8847763360de3d

SHA256
48ad97a8671a0359e0f16ae4d43a14188bb3af4ae2d0870f31fd389b9c63e516

SHA512
c122c8477680fb7ff93b7f75df038c0c5e5544af9c435ee9708e434d34141fa975707ebe700a952da39bebf86dbc1f3d7739831e8a61ed5f3c24c1fdc0958fd6

Download Submit
C:\Program Files\PowerISO\Lang\Hungarian.lng

Filesize
111KB

MD5
acfad4e0377c532a87eaca9d3f560db2

SHA1
90aa58896c0bb7f8a860c80ba50c94855c8971f3

SHA256
aa25c68aa808f867b6ddbd782a86ec4f1c5e3871ddc32873e4ece57cf3915a08

SHA512
6328dc1b8e46eab9346af2d0b82f8ce36756d8ad8dcd3aa91dc009759d195ae94231a57272613bef5418c71560ee6396e28ac1526dd52dd677049855fb666ac6

Download Submit
C:\Program Files\PowerISO\Lang\Indonesian.lng

Filesize
73KB

MD5
590c45a771ec412f469d3fc512692bd4

SHA1
ca045c7d5995670f5d251542826739c43294cc62

SHA256
1832c7639f5ca292d617f7e61a502aad96ef40c38b5407ec84057aa63a250c86

SHA512
ac02f5306cb8dfdfc817dd73e172a203e446c198812452eed8f74116a85818fc67f8b8d7ff3beb98a0f5965e6e9f68194c8a539e602535b082788467404fa811

Download Submit
C:\Program Files\PowerISO\Lang\Italian.lng

Filesize
112KB

MD5
766381f22083ba756b40bd27def353cc

SHA1
ad347b7749839da75d2c38a7712fa38b585f1afd

SHA256
5112942389d0981c36797f1451fa336b5cef488ce49b9cc6b5d46cfa9357c1e3

SHA512
100308f58c2dc8e93783846400eb87aae40ef30fab79d99bd710cbae86ba7867cfe49ea263d021f0fdc33a74fc2d9d8db77151418a7289d294e80d7b2bd878a8

Download Submit
C:\Program Files\PowerISO\Lang\Japanese.lng

Filesize
39KB

MD5
23bc2f15ff712025997a0e018262cade

SHA1
d952f3a25635894fcf67a02134fdbb5d3505b70a

SHA256
502ad727c773c7fe4bea5c1644da44f03c311a7ec4d72d23fa4c619e18c53d5a

SHA512
860931180291caf139e500fb4ec58899fb3a7db57cffeb56db3d2dae0cf577848bcda6d26dd6e20a181ef6a678913b9883a62f5e07f787b59bce54e83d829bf9

Download Submit
C:\Program Files\PowerISO\Lang\Korean.lng

Filesize
60KB

MD5
cf3c23b6632a79b68c369a7151a0a8f2

SHA1
b921c9dcef4cd783eb27fd9e6d255fd7089ff893

SHA256
3b99082a2333c4e875122961dd25ce992c06f4add5eac103421fe61bf2788488

SHA512
f7fa214571468878788b5fe68467dfe0fc1edf70908ada8fc4c9035166a4aa4db04506e1b5038d545a058b64492eb8264b4729f6ac5e41e4e22fcee76f4e846e

Download Submit
C:\Program Files\PowerISO\Lang\Lithuanian.lng

Filesize
46KB

MD5
071ce70a4cd0fad14c843e8a02b159af

SHA1
64efcb326739650c9e6d480f33477ce1bc286537

SHA256
3c2103115e8d1f5251a5294605e2863387d9921a43530571cdb2bb43f63eba4d

SHA512
19004622d02add96b75bb920f4b772df014c307a9b2d4fb730cf68f4e4eb03d905138d44c2d92f957a081cdc3435016aef43ff3d2dd4c64f9b25cf5fa220eb8e

Download Submit
C:\Program Files\PowerISO\Lang\Malay.lng

Filesize
99KB

MD5
d4a0d165b3b632b6a35ab917dc1cd986

SHA1
fbacee30b074eaa6691fa5b267be25d7bb5d7a4a

SHA256
a82324b2fd056567f8a8e00e0d3058f39d920f691f719b704da48b96cdce7575

SHA512
1f5c25361901d7de61d2af557a06cbc08582a91521552fe3fb73cbff80ba82363d14d1b1448c173978e1d19269eb7f9a23575044e07dd6e101d8bdc1dea0c7de

Download Submit
C:\Program Files\PowerISO\Lang\Norsk.lng

Filesize
95KB

MD5
0f4841f83c8597bd7e11a152c924572e

SHA1
3401ae67615f52fb90322a968c531d11c82659a4

SHA256
04fcd3084b3759ea6ae31551c9b344fa1cd26b555fd9e9fe36c9313de72c9052

SHA512
c94e8ee36f347b948fa551941016b0f99613267901d089aba3fb53ef7759ca4071ca3df307f3bff6d04c8ef16b69a6d9cc85942357b49d26cd936bcf22a75259

Download Submit
C:\Program Files\PowerISO\Lang\Polish.lng

Filesize
107KB

MD5
a197d6aae21b87f4cca43d754ed77ba4

SHA1
fd11ba4462600872d5f2832da9ce1c07049eda82

SHA256
f927648298d7bf84a70b37261ecb9967903f8549cdae05adf625f664f78c2fac

SHA512
f713375a37a486a9c65ff8740a487157923351cb324ab4ca12569c02fc16075b542fa0a650becbca908109cc98841bf1ad40866360a8727f393970ce1b83cec2

Download Submit
C:\Program Files\PowerISO\Lang\Portuguese(Brazil).lng

Filesize
113KB

MD5
8c8f7d9612d468caab77ebba6af6605a

SHA1
49948c06b5c900ca86bea3437bf2d9ae34a31f32

SHA256
953131a00d676369db93e31c39d26919bdea16aa397aecf625f05708a8c809c2

SHA512
1a3fb2e597c0ace83c15762bd3d43070971541ecf769268ad138e36fea41356895790f95a0695be98ae0cbc0a68c31f550ffa5e5192283246f77e5d54ac72f66

Download Submit
C:\Program Files\PowerISO\Lang\Romanian.lng

Filesize
62KB

MD5
3486c3c25d06011ee04b79ab0727d996

SHA1
4b6b8304a509a9926821584ab76a1557adec0b14

SHA256
d1e4cc47e9491cab3cb58e5a7f101e47d0ce3429aad7fd4df962aa85e76d072e

SHA512
8e3a33b34eb33ceb372fb76c3c8544b95b24a1af92377457214c38c422015a9e414f1f062ff943731d8e8c44ee46ebbc8448b6a41bdf20ea1be5c90a4d1e0981

Download Submit
C:\Program Files\PowerISO\Lang\Russian.lng

Filesize
95KB

MD5
963c126ddc71fb8c461045f526dea843

SHA1
e8c620a5a1ab65f8ced98b72ec2ab80e97429ff5

SHA256
49f96df6dfd30bb10e3ed15dc0ffe65eaf173f96ae5edefeb0d83e2b66155aae

SHA512
abe24eaeaaa3dc460d8dfa622f1173c2741cf9a2b84a094fb290eb120b3c46c4b91a149ccf95dc5502f7a27e3684eab808f74eeb1c8054825f9f61745ecb0a2c

Download Submit
C:\Program Files\PowerISO\Lang\Serbian(cyrl).lng

Filesize
44KB

MD5
389bb2ac22ae877fa3f5ed445947b756

SHA1
fc7d50a469cbb6718ec4a0f6fb80559b7ca03498

SHA256
1cd7276031f5ed13f96b0d58a444be88a3aef11c5f2e32c41ef1248ef6555dc5

SHA512
a215825f9b8fdbaf0196d74ff1430c5e15c61aae2d816f29c4c7f396370e38b8dcf643eb8864d2f06a4aea8fae711146fb50c169b258c2c9bbd24f7e0ded9a0d

Download Submit
C:\Program Files\PowerISO\Lang\SimpChinese.lng

Filesize
42KB

MD5
0141ebfde7cf2b57d6e679be189dae36

SHA1
d49d0ec9aa37eca802e30716ce3b534bf00ab263

SHA256
9b17b55cabc0f7ae7485c62cda0b94868752d23ebc02df8b78cfbc2d2bd83f71

SHA512
fc972cb24f94b717cd0078d224ddd5ae6c54048eb0feb5dea42ebc1555aecea306f299c66d3d33292c39bb4f222502623080e06b08a3f1f3aa37a926f3df0633

Download Submit
C:\Program Files\PowerISO\Lang\Slovak.lng

Filesize
64KB

MD5
958db42d0e508626ac43828765d3bf8c

SHA1
69a5e785890964ab976efe8e415ee2c1965d898a

SHA256
0fdf647f874bf9f25f7541f5abf8b4cb961070051e38fb774693daecce6b1c29

SHA512
9f7a2829f1357290d70055c8b34f8155d22b8738609adc4e7fda9874bff7afcbe1a9c0058a90a4ff8d0022f3f23b4eb349c6285adcfa21de59fee63c8e9ec274

Download Submit
C:\Program Files\PowerISO\Lang\Spanish.lng

Filesize
113KB

MD5
ba8bd5031a2af05eba064b08e2305b3a

SHA1
67f57d33cda9c12338a49db3a82f97dedc56c1af

SHA256
cadac9fc02efb5922dc5cb89878de1228fdd10cd50ccc930f3bebb90313b2cb6

SHA512
f3e49e122f12d6d56ba46538aa6c31ba343cc7727fefa2467b7afac1331057e126d3b0d4da48791c8e7ca81dceab9b774c2d55be3428ca513b0f92db581f10dd

Download Submit
C:\Program Files\PowerISO\Lang\Swedish.lng

Filesize
60KB

MD5
584888d64db509b30515314812d8c9e1

SHA1
c71bf9dc84ad4d11c5d0067153398f0471b19841

SHA256
cf194b5adf22d4fa86391630b675a6a95c61c4d34662b8dd17e50758367e2ebc

SHA512
9eefa650073a470b531ac5199dcf0a49ef7bbf28f3188b5193829b67d44d4c99ea15ae379722b642e6e4b700be9dbb2347536b192c11268e55a2713846e0fe0c

Download Submit
C:\Program Files\PowerISO\Lang\Thai.lng

Filesize
40KB

MD5
eb7287a2f3386731a82482874d7b1480

SHA1
861738c334c0f055c6a7389ec683e52588a28323

SHA256
b02cff6bbad76ae35133d43e38d2066ea62b9bbdad10593533acc29abb0c688e

SHA512
decc184fdc4098d3a3ba216e4b522e973b3a879340e0b41c4745f5cef00f09503688a379323de95c55a57d5fee1e3fc84c56cc24133ccc2aeb0846961fba5060

Download Submit
C:\Program Files\PowerISO\Lang\TradChinese.lng

Filesize
44KB

MD5
52cf4ba46679fc398e6c48d9a2e0b9cf

SHA1
a475580f62d2169acf07858d0f5977f073e66e41

SHA256
2659df8e77660b90b842bf5bde4390c7b1e371abf27a62c28b0af20cfa37fbfb

SHA512
69b3bf9b6d8375c811f4332c58bde20e5957ad1fb1c7dc175745cf63d74c59cd8dbdeda7c8fd19013449ef9420c9f8741ea0099e5c69a3922dda2fe6f5bbdf1f

Download Submit
C:\Program Files\PowerISO\Lang\Turkish.lng

Filesize
105KB

MD5
7e33e7c592d94d166623ee775d89f82a

SHA1
5461026703760b2888c269691a0f1252862185a4

SHA256
9342917a8192c104218c571d647205126c25ae6c22c3e39c8e70a1208c0cb4f0

SHA512
af5d49e9b893fdc5ee1db756298001d042b33bb17dd88e16e75fe7a6299b2c24443648ccf53b4597445e9561f54733daade671eff0334bfad610d6eb232ab660

Download Submit
C:\Program Files\PowerISO\Lang\Ukrainian.lng

Filesize
102KB

MD5
fe29ab9dc277b5e94ae99c92e4d19191

SHA1
d77ccd90841711209fc6c59646751cd1240328ab

SHA256
6c703bb9b9812d735ff106650fd4205ab7ae1d6e7864cca1ae397bfe4519883c

SHA512
28d57eca05b5a000301b349a5a66cb369f00c3acce325c6952f87833506e52379920e015729b32a83be7b2fbe2dc197229b40ad9f42d3ccdc90c40113b4a5584

Download Submit
C:\Program Files\PowerISO\Lang\Urdu(Pakistan).lng

Filesize
53KB

MD5
38cfde2f37d4e7d11a992ce6aa3bfba8

SHA1
90aea403d5645172c3159325d2e0280c40cf52b1

SHA256
f76bbc98150882bb51cc052fe1a2882335c65bc8b1ec0b34bd118df8c18e3db2

SHA512
4344e20cbb9277f07877318e56d35b9c017b36f2b24e4baa4dfffa260e1a8eeab711d9cca6f49862ec591a14f2bd117d85d9cb735bbf0bc0eca15c398855f111

Download Submit
C:\Program Files\PowerISO\Lang\Vietnamese.lng

Filesize
44KB

MD5
94d849449c0244af9ca3eae11afbbb87

SHA1
4e3391af42c2d870b187e1d2ce4a91741dbf9b73

SHA256
043fe68126861476328c4844cd37b8174e24750bd606e62ae21a4de417ff818a

SHA512
b9a38f7f08eaebba65502a7e3757d02021b6724ff1067c06436097109386f4ba9e005443babbe5c3d9e9e6ed1c532466cc2dbe8f2d693907b2afaf49fd45fd95

Download Submit
C:\Program Files\PowerISO\Lang\croatian.lng

Filesize
61KB

MD5
b94e0fe2974e41da7639cb9691fc8c96

SHA1
28f490c0582088bb4790fd3c1430fc37662c6ed1

SHA256
b20d52aeaf8a51049ac2e9bfcdf5047b37e17acefc1b98ab982e9cabf7d2b8e7

SHA512
54df0156aa833eb661b8083e6415d9cee7928521d13329174680de34af263d87e8fc7291533acb52f1f23372681c2f6adda6b56f4bff97ade20fec807434ae37

Download Submit
C:\Program Files\PowerISO\Lang\czech.lng

Filesize
100KB

MD5
83fe45cc46a2cc45c9c9debb953ff043

SHA1
163984eb6a15b941ada0e49d31b00468058d70bc

SHA256
f2590b0d7f258deeb05870521620eed0be29a1a4afa523b577f0af779b9cd399

SHA512
c0bd17c699facb8f7bef8d71f8f59632220b56ebd12daf371cf9e047710a4453408eb6f8b3413542c1ec006c0e98ae496911a9f3c24f5e58cb655d8751778bc2

Download Submit
C:\Program Files\PowerISO\Lang\danish.lng

Filesize
57KB

MD5
16f6aa7bd28bede15f749c173ba26649

SHA1
a6a6773d1f97439890cbe73fb332e12e250d121f

SHA256
1b3ab2dd6dafb98f01855432efbe46da0b6043fa036b9de127b0f997281bd469

SHA512
e6046bd3191e75a41b46fac85e4e3decec76ce68d524ecbe879887b01dfc21c9ce7ec3d58579bf16ebc693d780bb8b075b3bd136a568f7662e984b91e0f473e2

Download Submit
C:\Program Files\PowerISO\Lang\french.lng

Filesize
120KB

MD5
c9cbe1f3a432ef6ec3a43d708862f9c6

SHA1
2445716626359ed6c7fcb00595daece9f85702d8

SHA256
f91a051d80c19ea8194985a2f9ca6d4c4e191a7492f9b1ebef13f423ed519f6f

SHA512
c29f761f96b6db9e92002a0b0d02f60d60266b3fd3fa6891a82f79ce14e90a687ce78806f3a4e3298a0b4b9e7cf0b8430265d7fdd1070ad8e899c7ef1298f03e

Download Submit
C:\Program Files\PowerISO\Lang\kazakh.lng

Filesize
58KB

MD5
6e690ee505ec2a4b8803e24ceba5ca43

SHA1
8d459424203ee2facbc8cb71208366a0b8a78157

SHA256
c651d03de96e44f2cd616ebbbfe67b9b0c4f5561318e1be87e424a61cd8a585a

SHA512
6c356e61cb916ed74f74578a2dcf615b96e7eaaf8b7ea9bedafea304d9111eaaa00b30e7fcbbc389f1508d5df6b8ab812badf46af94ee4976238049137e44983

Download Submit
C:\Program Files\PowerISO\Lang\slovenian.lng

Filesize
106KB

MD5
f7d98fda492a0bb4ce6fa03316d8aadf

SHA1
f8bf911da7b5c983fee6b52649bdb177e984decc

SHA256
ca81ec1a47a2a3e241c8ae26f3844e840af3b5be15a95216dee82f3ff5e4f8b8

SHA512
6b039a16d9a2a8817aab0b51fb2f54e9e47bcabb68d9cd9ff934441b15b3137ddbf89db68d65b5eea927649d96e274e5612ea0ba57ca79e8f277dc58064c8846

Download Submit
C:\Program Files\PowerISO\PWRISOSH.DLL

Filesize
361KB

MD5
42466823a6244f9e55e9d61f0e2dc8e9

SHA1
f7193e1727d3b5a6b462d4480bc0409408bbbd7c

SHA256
98394e30ed316fb1aaaa0a0ed72aa884f76f33c1f35c05c39efb5dde747444a8

SHA512
291ed14d0561c5ba57b274a0a380c826e38a1a80894ed3c90074f73bfe671814329f265072102b442a6d7c62ba176b46848f83369d80e4380bc2e60f3a9000d5

Download Submit
C:\Program Files\PowerISO\PWRISOVM.EXE

Filesize
452KB

MD5
b9e3a3d2a59693b08cc500068aa57035

SHA1
2577a8b66c35fb36aa3e7b7a8e4cc487b80c1b7f

SHA256
606a015016eeb8f9c795b75b3ac7f081fd6c0979aa6b6568ba39e0de058fd94f

SHA512
2beb90e9d34d79ea1e3a00327d2354806da12b16f9506d14a441814d03ac398792bd375cf5894f9bfa0ab967c34fe2eb564f04fe4c187ebae596592d62815120

Download Submit
C:\Program Files\PowerISO\PowerISO.exe

Filesize
6.1MB

MD5
b35ca1fe32c0952f756dfec1cd894dd5

SHA1
8ecdfbb4333eeb0b7c0df4fd0c9dc58f17d63257

SHA256
b6cb074ad499926bf8aaee9d7caf993739fbbce5cf19bbbc912c95c5f1111aa0

SHA512
8d80a7dcc32bea19cad8cf775fb98f60f5befbf4e1300a9bf6ad1ca49347653cdbb9860a912d36ee05279aece88795336408ed4f4572515c54d4e18ab792d893

Download Submit
C:\Program Files\PowerISO\devcon.exe

Filesize
69KB

MD5
9d199564b65a91a531b23844649459e9

SHA1
8d84359ced1c51d14e70cb5ed36a6083c8b914cf

SHA256
8dc2490d1d650e3ffbf70922b81ae9800ddd29a644e4d7d29e9616e22a7d0f42

SHA512
ae522945d3ddcd7c2d99da14ba62d556928b7e6dfcb07114f13481777878a8ffa448170cebbf76da80d9ae45d0e3a509b0f2a7bd702773c1efcaca26496010d1

Download Submit
C:\Program Files\PowerISO\setup64.exe

Filesize
20KB

MD5
fdaf68ac10888345fc0dfedd070dbd07

SHA1
160e72adf208e42511274e7dd786975cfce4d4d2

SHA256
e69945c414a228f6299a30946401bbbb900d0b8a814e2ce8c5c44c12f130eb75

SHA512
943ae7c986ec48d24ebf9c83a3821ecfb36aa7bca0c010c7b53030c0ee30980c848177b5ec33fb2317f71dececa3bee5adf53393fb6f30f8f9b7d475965038a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\doomed\16818

Filesize
16KB

MD5
7357d3e790cd867daec6f3f6c352bd4e

SHA1
7bb2ad85f547f12ed9e0a850053b8bc9febcdede

SHA256
85337716fd2b56cd07a08b010cd3aa73919c772edb942c847130f1c839487be6

SHA512
b0cd31a5e6ca6779af570d993afb2c3f4a738c25919e8975138122007e09946e9043f6f4693a43e98645cfb876c3a66673352b8acd87874cc1556663e1ef73c8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\doomed\7087

Filesize
16KB

MD5
f6b5f92c24eae0135b01c9bc5f603bd0

SHA1
85fa3872859862c811b7baf34cda2ebad53705d2

SHA256
2588ea8122b8b0c61762deb5d47467c206411b67cd421db1b422f43692bcdecf

SHA512
b66da9364d835c48f50fceced61035d616ff997c019b4c675847a2300828140674845cbc3243cb2be46a9270b2b5b9a4a6a2ab6418bfd68a31f3e5664d6c482f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PowerISO$\9BCE.tmp.ico

Filesize
2KB

MD5
4198afdeb9ace242c575ee572af22e1f

SHA1
32784594ec69ca459878010401c3931be8e5e15e

SHA256
b4d6704aabfcc8b7cb8f4ee58b162dd124e2d0e4dce20ecf13eebd262dd1e76e

SHA512
d4288466d9a669c7735dc788f81fd5581876048644c48a58df5e2f8c70d468464d9de2bcbd295cdfe8510fd77a9a3cc26e3de0a1cf985622fec00baefda7f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi73EA.tmp\InstOpt.dll

Filesize
25KB

MD5
6a45ec125830c244261b28fe97fb9f9d

SHA1
f30e65fa3a84c9078bf29af4b4d08ec618a8e44f

SHA256
fa8b56b52dc7130d924d0060633b5763c032408385a47ec7438d5e1d481d2fe5

SHA512
5387439a2a1f235a2ffe934570db8ab200e2688496d2be39d8f6a47dc7fb55e6e30e957b5b2f6d79799581278bd57c03dc81908afa5e9707375a14ec8a34e4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi73EA.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi73EA.tmp\nsDialogs.dll

Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi73EA.tmp\nsi74D5.tmp

Filesize
29KB

MD5
c3b224d15a9036805575b2ff0bcefeda

SHA1
74779ae82a97e97d770435d097821810f16c97c5

SHA256
23d8aeff49ffbac9f9490e9739e059cd7064516dbcd693fe2de77830b127ff8a

SHA512
5a5d98cc9a4aca076049340a4645879a8e4a1d2e24a672015627446d7e3729acf0b64bc8a0f702b8da735d22607fe13ba3ef6a497a57891804576899b06bb461

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF5DD.tmp

Filesize
135KB

MD5
92eae8dec1f992db12aa23d9d55f264a

SHA1
add6697b8c1c71980e391619e81e0bada05e38ee

SHA256
d01a58e0a222e4d301b75ae80150d8cbc17f56b3f6458352d2c7c449be302eee

SHA512
443a12a1a49e388725ee347e650297ba5268d655acd08e623ea988cde07ae08ae861620b600fb223358339eeab926fee1c8377386501310c68a3eb9515649441

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ce66bc81b18688e5c9200d04f93200cb

SHA1
15ee64b1c0f5cf119cea79702043b40ef933d5d2

SHA256
bb34957cfc66ad2d57971c955d1b3aa5a8dd7c80ba01f717112a427dca6877c3

SHA512
85d56f7f6d0d01c2ec0923c4c8dfc17c39752d5f706eac19617a6dabcb7848524c31c68b772814a56403508add5caa0049f67562587edd534d5460a4a08d9918

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\pending_pings\2c2d40e7-cb9c-4dcd-8d76-e89f039ac6b1

Filesize
746B

MD5
b3aaace03139b20cda01192415692980

SHA1
1da0e6e42c2137c8fffba8b4f7777c03183b62f8

SHA256
d5fba1c70717b4f4f280a6f78b96639707bc3aa98dbc70ab127b97f6cdd36dcd

SHA512
8b876c8bb3fe066bd160d3bcf5f68afef872ccf4fe6eadc5b4b3b33b07ea111ecacaac3035f3253ced3f8cbd61031ec5183c000af97e677ea4d2595e2ded307a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\pending_pings\e6e21cfc-172d-4fb1-b624-a7e71e1f839b

Filesize
12KB

MD5
d60e9cd2d39f241d546b05903885814c

SHA1
3bab8f43fbd17deacb6cb5152737c64737b5e990

SHA256
3009f3b1d25ec1e11d81d35ff995afde66b8facef96c52ab922ac5c0262a6a7e

SHA512
61914c3ee2ea51fe67e3de15561d96e0b67d0ed407994e8405f6ccfcd4a64d0af832dea42ab0a738ced51a893ff1d84ed20ebbc747ada2a610c11edeff6f59c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js

Filesize
6KB

MD5
51d2f07750515d7c85fc1b890e68b79a

SHA1
c17974222dc6d424bf585ebd04a3bf23728c90ae

SHA256
5ce34208f8c7e9434b0abc7c45939a08f6ef35a5713cda829f4b974641817c98

SHA512
1f1c6aeed4580b98a622efea0b0eb7761df06133407013a9103feedc90ad8cbedcc1de3ac29924e29d44ff84663832c2db59e0781da439d2bfdf6f7870fb7052

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js

Filesize
6KB

MD5
243b73c388b9aac20a851690337a45e8

SHA1
a1b2762f521564934709563e9647aa2835664efd

SHA256
be6952d871e11959f830924d1415424fdad16d5b6630248333566366c7c8d50d

SHA512
5be11a01bb378e13b70eac1ae1ecb86f8a0641899529ab9a6455446e86a5644037a21d42bc6194e1e522afa64007b44d47c6a20208b34b458ecd2b1732ebfb1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js

Filesize
6KB

MD5
3948f59f507391c349b2582c7d6a03d3

SHA1
b48d2fd695f062accecb3e4a07ec0861ab4ace3d

SHA256
622717e1db82ea6e5cdd8d0bf9fe366ed9a9c55b865d5f05eedee847df51f505

SHA512
15f84747fba0c25336a888e26cd4a735a22344ad7d6e64ec6da6d1b9f59320deacba4f8446caf771a7444a192ffacab9128cd7361e76db36d59668da8afe9ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c2661e362ad736f1ff9d436abe022a80

SHA1
4a420140a58cf383df58f29873d81c02e17e3b5f

SHA256
365fab1bc4440c692f0d370f2c6359a4e0322df2cae4f846c610c25d35b2a578

SHA512
7ebd4a899a30cfee5e1fb89132c3cc956ab76660f93510d0678948ebd8483225c9d682d5b55b4b8b1669d3e6bb6269c4a3ddb7e6e57eae8c3afb02136f2fe8be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ecf3ed3a0d89be51e897c7aa6171a67f

SHA1
733a24b558cf37d69ae61ba6ef3a0f1755e3be96

SHA256
6a734c634c52ec14b951616b65a1d195b0009db009c011d9542ad9ef27eaae17

SHA512
57fa4d643338ec0aeb1c38f5f8a4ffdae24b303f4cb30c6895a43b46811c8d77666d1800e831529ffbb986d4a64158246c07585caf5d85eb7692fa6a8a67ad80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
16c0c50f7cb14b89ff9e3de534c3272a

SHA1
176b3507ea4e457da4f74d1284c73d36ca99feaa

SHA256
f1141f1da63e84d496008316649ca65ed26d8a69949fec065629f465ec6452c7

SHA512
398d465509a1b4602e6cc48c49ae157b0f117efa7d075c002e3e576636f5de465a7c90ebba0b4434de25c4308d6b79023eaa249106a1cad9ed5838bbc9324e94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
b94f4d7304265cfced8ca51de6024189

SHA1
a8c743de02252f244f5abf10634a6839e1acf069

SHA256
b2fa4d8d3843c7438c37ad30f091971cd21719ce9a8d85bf369910056125093e

SHA512
f91fc455624986bd0424b82f59920eb29971e9140c877632f19ff69776b0d5e974229bedd9a2d0f02896af8a1388b4c32917712b253ba59a9c97c40b5201ce57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0db6aca187098a1c5c3d6d06b459b132

SHA1
863d742ba9f79016d379387b6a2c4ec190924611

SHA256
87f847c97ae7eaa959e1b746ffea88f7b663295acd03e4c92b3cbdb5fa4dffd9

SHA512
5689fe57505a55486ec4018327b971ee5845012c3f1c6834d31c99ef33242ab77a28b245a2f917389bc1694a73b2ec610220fa41d8ee4cc0d6e4026b9a3b2187

Download Submit
C:\Users\Admin\Downloads\PowerISO-Keygen-R2R.exe

Filesize
892KB

MD5
286f2b2ae2f1239aaf50977efd58bbf0

SHA1
d218ee788fd00555f9a08e6e530d24b0ff8d5a75

SHA256
0af9738750dcf5aa552d060fc514f93fc6273bab5ce9ddc4456917ca4bb216ff

SHA512
3e6e79d0bd3133ac26722b7fe078fc2e4708ce720435980a1412b57f7ab50aa4f77e5efa03e5393f18b42b019f47dde7425679d26935c3fc666e7a1e0e9a7650

Download Submit
memory/2400-247-0x00000296CEDC0000-0x00000296CEDC1000-memory.dmp

Filesize
4KB

Download
memory/2400-249-0x00000296CEDF0000-0x00000296CEDF1000-memory.dmp

Filesize
4KB

Download
memory/2400-250-0x00000296CEDF0000-0x00000296CEDF1000-memory.dmp

Filesize
4KB

Download
memory/2400-251-0x00000296CEF00000-0x00000296CEF01000-memory.dmp

Filesize
4KB

Download
memory/2400-215-0x00000296C6950000-0x00000296C6960000-memory.dmp

Filesize
64KB

Download
memory/2400-231-0x00000296C6A50000-0x00000296C6A60000-memory.dmp

Filesize
64KB

Download
memory/2740-27-0x0000000006840000-0x0000000006D6C000-memory.dmp

Filesize
5.2MB

Download
memory/2740-26-0x0000000006780000-0x00000000067E6000-memory.dmp

Filesize
408KB

Download
memory/2740-21-0x0000000074B10000-0x0000000074B20000-memory.dmp

Filesize
64KB

Download
memory/2740-20-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/2740-19-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2740-22-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/2740-23-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/2740-24-0x0000000006690000-0x00000000066D4000-memory.dmp

Filesize
272KB

Download
memory/2740-25-0x00000000066E0000-0x000000000677C000-memory.dmp

Filesize
624KB

Download
memory/2740-38-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/2740-151-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/2740-34-0x00000000072C0000-0x00000000072CA000-memory.dmp

Filesize
40KB

Download
memory/2740-35-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/2740-36-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/2740-37-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/2740-15-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/2740-124-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/2740-39-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/5864-759-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5864-762-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/5864-771-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5864-772-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/5864-773-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/5864-761-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/5864-782-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5864-783-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/5864-785-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/5864-790-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5864-792-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/5864-791-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/5864-793-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5864-760-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download